security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

2410 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke 3b8b04fe09 Merge branch 'devel-sigmac' 2018-03-06 23:19:45 +01:00
Thomas Patzke 8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Thomas Patzke 7141729ffc sigma/parser: Introduced new conditions 
* Any definition: 1 of them
* All definitions: all of them
* Any of selected definitions: 1 of def* (wildcard)
* All of selected definitions: all of def* (wildcard)
 2018-03-06 23:13:42 +01:00
Florian Roth b9102d0b0a Improved sigma2elastalert 2018-03-05 12:05:47 +01:00
Florian Roth 1ecfd83a6a Missing separator 2018-03-05 11:30:01 +01:00
Thomas Patzke 6b69f423da Merging sigma2elastalert 2018-03-04 23:27:23 +01:00
Thomas Patzke 17e8f06161 Added notice regarding contributed tools 2018-03-04 23:26:38 +01:00
David ROUTIN 00177560ca Added sigma2elastalert.py 2018-03-04 23:26:06 +01:00
Thomas Patzke 5a97befea0 Sigma tools release 0.2 0.2 2018-03-04 23:03:19 +01:00
Thomas Patzke 59eff939f2 Merge branch 'devel-sigmac' 2018-03-04 22:59:41 +01:00
Thomas Patzke 647fc6187a sigmac: Added proper 'Content-Type' header for xpack-watcher backend 2018-03-04 22:58:15 +01:00
Thomas Patzke 4792700726 Fixed rule 2018-03-04 22:07:01 +01:00
Thomas Patzke 01f38adbdb Fixed condition 2018-03-04 20:07:02 +01:00
Florian Roth 6e0cc193c7 Rule: Pony / Fareit UA 2018-03-01 09:28:04 +01:00
Florian Roth 69274d7782 Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00
Florian Roth 6c6dac4cbb Changed Elise backdoor rule 2018-02-25 17:25:04 +01:00
Florian Roth f2057f0c77 Hurricane Panda activity 
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 2018-02-25 17:24:00 +01:00
Florian Roth 1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth 25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth 9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth 5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth 0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Florian Roth b88a81a9e1 Rule: Linux > named > suspicious activity 2018-02-20 14:56:28 +01:00
Florian Roth ef0cd4c110 Rules: Extended and fixed (*) sshd rules 2018-02-20 13:44:06 +01:00
Dominik Schaudel cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth 058d719e2b Rule update: Proxy UA > Loki Bot 2018-02-12 10:08:32 +01:00
Thomas Patzke 6f6d662ae5 Dropped support for Python 3.4 
Dict unpacking in dict initialization not supported in Python 3.4.
 2018-02-11 22:48:40 +01:00
Florian Roth fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
Florian Roth 0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth 443afcba0a README Update: Rule creation tutorial, smaller fixes 2018-02-10 15:24:43 +01:00
Florian Roth a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
Florian Roth 1382edb5e3 Cosmetics 2018-02-09 10:13:39 +01:00
Thomas Patzke 89aa300bbc Improved xpack-watcher actions 
* Log and mail
* Details in message
 2018-02-09 00:03:41 +01:00
Thomas Patzke 8336929d76 XPack Watcher Backend: Improved aggregation capabilities 
* Aggregation with "...count(field)...", "...by field..." and
  combination of both
* Still only count() supported
 2018-02-08 22:17:35 +01:00
Thomas Patzke 4762a1cc30 Removed abandoned SigmaAggregationParser.trans_timeframe() method 2018-02-05 23:30:00 +01:00
Thomas Patzke 841bb65ca0 Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-02-05 22:51:37 +01:00
Thomas Patzke 69efb05c5f First draft of Rx schema 2018-02-04 00:27:09 +01:00
Florian Roth 34e0352a21 Rule: Proxy UAs - malware - Ghost419 
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
 2018-02-03 14:47:04 +01:00
Thomas Patzke 01d6b2be3a Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-02-01 22:49:52 +01:00
Thomas Patzke ec3f0f6d60 Fixed before/after logic 
If nothing was generated "None" was printed.
 2018-02-01 22:49:02 +01:00
Florian Roth 635d052fcc Renamed rule - not APT32 related 2018-01-31 23:52:24 +01:00
Florian Roth 4152442bfa Changed reference to references in Elise rule 2018-01-31 23:13:00 +01:00
Florian Roth f1b339504e Rule: APT32 Elise 2018-01-31 23:12:00 +01:00
Sherif Eldeeb 376d0414d8 Condition is a str, not a list 
To be consistent with schema and all the other rules:
- `condition` should be a `str`
- if an `or` condition needs to be applied, use parentheses and literal `or` instead of a `list`
 2018-01-28 16:16:00 +03:00
Sherif Eldeeb 90a8cc9d40 Merge pull request #3 from Neo23x0/master 
Merge pull request #64 from SherifEldeeb/master
 2018-01-28 16:11:19 +03:00
Thomas Patzke f35c50049f Merge pull request #64 from SherifEldeeb/master 
Update rules to reflect schema changes "and add consistency"
 2018-01-28 10:56:27 +01:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00